# NixOS module: declares the root and steveej accounts, taking their password
# files from sops-managed secrets and root's SSH authorized keys from the
# repository's keys.nix.
{ config, pkgs, ... }:

let
  keys = import ../../../variables/keys.nix;

  # mkUser is a project helper from ../../lib/default.nix; whatever defaults
  # it applies to the account are not visible in this file.
  inherit (import ../../lib/default.nix { lib = pkgs.lib; inherit config; }) mkUser;

  # All three secrets below are read from the same sops-encrypted YAML file.
  sharedUsersFile = ../../../../secrets/shared-users.yaml;
in
{
  sops.secrets = {
    # neededForUsers asks sops-nix to decrypt the secret before user accounts
    # are created, so it can be used as a password file.
    sharedUsers-root = {
      sopsFile = sharedUsersFile;
      neededForUsers = true;
      format = "yaml";
    };

    sharedUsers-steveej = {
      sopsFile = sharedUsersFile;
      neededForUsers = true;
      format = "yaml";
    };

    # Declared but currently unused: the only reference to it is the
    # commented-out keyFiles entry under root.
    sharedSshKeys-steveej = {
      sopsFile = sharedUsersFile;
      # neededForUsers = true;
      format = "yaml";
    };
  };

  users = {
    # Accounts and passwords come only from this configuration; imperative
    # changes (passwd, useradd) are not kept.
    mutableUsers = false;

    extraUsers = {
      root = {
        # The file is expected to contain a password hash, not a plaintext
        # password. NOTE(review): newer NixOS releases name this option
        # hashedPasswordFile; check against the pinned nixpkgs.
        passwordFile = config.sops.secrets.sharedUsers-root.path;

        # NOTE(review): this authorizes steveej's keys for root itself.
        # Whether sshd accepts root logins is configured elsewhere (not shown
        # here); confirm that direct root access is intended.
        openssh.authorizedKeys.keys = keys.users.steveej.openssh;

        # TODO: investigate why this secret cannot be found
        # NOTE(review): likely because NixOS reads authorizedKeys.keyFiles
        # while evaluating the configuration, whereas the sops path only
        # exists on the target after activation; confirm. Public keys are not
        # confidential, so the plain key list above is sufficient.
        # openssh.authorizedKeys.keyFiles = [
        #   config.sops.secrets.sharedSshKeys-steveej.path
        # ];
      };

      steveej = mkUser {
        uid = 1000;
        passwordFile = config.sops.secrets.sharedUsers-steveej.path;
      };
    };
  };
}